Adult FriendFinder users get their privates exposed... again – reports

The sequel

Hundreds of millions of Adult FriendFinder (AFF) accounts appear to have been exposed once again.

A database of usernames, emails, and passwords of footloose and fancy free members, along with those from associated websites, has leaked and surfaced online.

The breach has not been confirmed by the site’s parent company FriendFinder Networks, which is reportedly looking into claims of yet another hack.

Breach notification site LeakedSource has reported that 339 million accounts on AdultFriendFinder and more than 60 million from sister site Cams.com were exposed by the breach. It claimed leaked data included 15 million "deleted" accounts that had not been correctly purged from the compromised AFF database, a copy of which has been obtained by LeakedSource.

LeakedSource has not made the database searchable but has published a breakdown of password frequencies and samples of file schemas from the leaked database to substantiate its claims, which remain unconfirmed but are nonetheless being taken seriously by security firms.

Certificate management firm Venafi claimed that private information such as passwords appeared to have been protected using only the obsolete SHA-1 hashing algorithm.

The apparent breach took place in October 2016, and included historical data for the past 20 years on six FriendFinder Networks (FFN) properties: Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com, iCams.com, and an unknown domain, according to web security firm High-Tech Bridge.

Last month a hacker known as Revolver or 1x0123 claimed he had gained access to the site’s backend servers through a Local File Inclusion hack before posting two screenshots purporting to show compromised data to his Twitter feed.

The latest breach follows a high profile hack in May 2015 that led to the leaking of 4 million records.

Security experts criticised the site for not doing enough to prevent a repeat breach.

David Kennerley, director of threat research at security software firm Webroot, commented:

“This attack on AdultFriendFinder is extremely similar to the breach it suffered last year…. even details of users who believed they deleted their accounts have been stolen again.

“It’s clear that the organisation has failed to learn from its past mistakes and the result is 412 million victims that will be prime targets for blackmail, phishing attacks and other cyber fraud,” he added.

“This breach on AdultFriendFinder is the second in as many years, which raises serious alarm bells. It’s clear the company has majorly flawed security postures, and given the sensitivity of the data the company holds this cannot be tolerated.”

El Reg contacted FriendFinder Networks via its web form inviting comment on the breach. We'll update this story as and when we hear back from the organisation. ®